/*
 * Copyright 2002-2019 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package org.springframework.security.web.header;

import java.io.IOException;
import java.util.List;

import jakarta.servlet.FilterChain;
import jakarta.servlet.RequestDispatcher;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletRequestWrapper;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.security.web.util.OnCommittedResponseWrapper;
import org.springframework.util.Assert;
import org.springframework.web.filter.OncePerRequestFilter;

/**
 * Filter implementation to add headers to the current response. Can be useful to add
 * certain headers which enable browser protection. Like X-Frame-Options, X-XSS-Protection
 * and X-Content-Type-Options.
 * 为当前响应添加报头的过滤器实现。可以添加某些头，启用浏览器保护。像：(参考：https://www.cnblogs.com/goloving/p/14891370.html)
 * X-Frame-Options: 主要用来配置哪些网站可以通过frame来加载资源。它主要是用来防止UI redressing补偿样式攻击
 * X-XSS-Protection:这个响应头是用来防范XSS的  跨站脚本攻击 是一种常见的Web应用程序安全漏洞，它允许攻击者通过在网页中注入恶意脚本代码来执行攻击
 * X-Content-Type-Options:主要用来防止在IE9、chrome和safari中的MIME类型混淆攻击
 * HeaderWriterFilter可以通过HttpSecurity#headers()来定制
 * @author Marten Deinum
 * @author Josh Cummings
 * @author Ankur Pathak
 * @since 3.2
 */
public class HeaderWriterFilter extends OncePerRequestFilter {

	/**
	 * The {@link HeaderWriter} to write headers to the response.
	 * {@see CompositeHeaderWriter}
	 */
	// 要写入的头信息，默认情况下存在5个，即下面构造方法上的注释
	private final List<HeaderWriter> headerWriters;

	/**
	 * Indicates whether to write the headers at the beginning of the request.
	 */
	// 默认是false 也就是在过滤器都执行完成后，回到该过滤器时再向response中写入
	private boolean shouldWriteHeadersEagerly = false;

	/**
	 * Creates a new instance.
	 * @param headerWriters the {@link HeaderWriter} instances to write out headers to the
	 * {@link HttpServletResponse}.
	 */
	// 构造方法，需要在构造该过滤器时就传入要写入ResponseHeader的头信息
	// 具体确定要写入那些头信息是由HeadersConfigurer来决定的
	// 默认是以下几个头信息
	// 0 = {XContentTypeOptionsHeaderWriter}  X-Content-Type-Options: nosniff(这个是唯一正确的设置，必须这样)
	// 1 = {XXssProtectionHeaderWriter}  X-XSS-Protection: 0(禁用XSS保护)
	// 2 = {CacheControlHeadersWriter}
	//    Header [name: Cache-Control, values: [no-cache, no-store, max-age=0, must-revalidate]]
	//    Header [name: Pragma, values: [no-cache]]
	//    Header [name: Expires, values: [0]]
	// 3 = {HstsHeaderWriter}  Strict-Transport-Security: max-age=31536000 ; includeSubDomains
	// 4 = {XFrameOptionsHeaderWriter}  X-Frame-Options: DENY(页面不能被嵌入到任何iframe或frame中)
	public HeaderWriterFilter(List<HeaderWriter> headerWriters) {
		Assert.notEmpty(headerWriters, "headerWriters cannot be null or empty");
		this.headerWriters = headerWriters;
	}
	// 具体的过滤器执行方法
	@Override
	protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
			throws ServletException, IOException {
		if (this.shouldWriteHeadersEagerly) {
			// 如果是提前写入响应头，则是直接调用了writeHeaders方法，并继续执行过滤器
			doHeadersBefore(request, response, filterChain);
		}
		else {
			// 默认走该方法 再过滤器执行完成后，再写入头信息
			doHeadersAfter(request, response, filterChain);
		}
	}

	private void doHeadersBefore(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
			throws IOException, ServletException {
		// 写入头信息
		writeHeaders(request, response);
		// 执行过滤器
		filterChain.doFilter(request, response);
	}

	private void doHeadersAfter(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
			throws IOException, ServletException {
		// 对Req和Resp进行一个包装
		HeaderWriterResponse headerWriterResponse = new HeaderWriterResponse(request, response);
		HeaderWriterRequest headerWriterRequest = new HeaderWriterRequest(request, headerWriterResponse);
		try {
			// 先执行后续过滤器
			filterChain.doFilter(headerWriterRequest, headerWriterResponse);
		}
		finally {
			// 执行完后续过滤器，回到该过滤器后，写入响应头信息
			headerWriterResponse.writeHeaders();
		}
	}

	void writeHeaders(HttpServletRequest request, HttpServletResponse response) {
		for (HeaderWriter writer : this.headerWriters) {
			// 将头信息写入HttpServletResponse中
			writer.writeHeaders(request, response);
		}
	}

	/**
	 * Allow writing headers at the beginning of the request.
	 * @param shouldWriteHeadersEagerly boolean to allow writing headers at the beginning
	 * of the request.
	 * @since 5.2
	 */
	public void setShouldWriteHeadersEagerly(boolean shouldWriteHeadersEagerly) {
		this.shouldWriteHeadersEagerly = shouldWriteHeadersEagerly;
	}

	class HeaderWriterResponse extends OnCommittedResponseWrapper {

		private final HttpServletRequest request;

		HeaderWriterResponse(HttpServletRequest request, HttpServletResponse response) {
			super(response);
			this.request = request;
		}

		@Override
		protected void onResponseCommitted() {
			writeHeaders();
			this.disableOnResponseCommitted();
		}

		protected void writeHeaders() {
			if (isDisableOnResponseCommitted()) {
				return;
			}
			HeaderWriterFilter.this.writeHeaders(this.request, getHttpResponse());
		}

		private HttpServletResponse getHttpResponse() {
			return (HttpServletResponse) getResponse();
		}

	}

	static class HeaderWriterRequest extends HttpServletRequestWrapper {

		private final HeaderWriterResponse response;

		HeaderWriterRequest(HttpServletRequest request, HeaderWriterResponse response) {
			super(request);
			this.response = response;
		}

		@Override
		public RequestDispatcher getRequestDispatcher(String path) {
			return new HeaderWriterRequestDispatcher(super.getRequestDispatcher(path), this.response);
		}

	}

	static class HeaderWriterRequestDispatcher implements RequestDispatcher {

		private final RequestDispatcher delegate;

		private final HeaderWriterResponse response;

		HeaderWriterRequestDispatcher(RequestDispatcher delegate, HeaderWriterResponse response) {
			this.delegate = delegate;
			this.response = response;
		}

		@Override
		public void forward(ServletRequest request, ServletResponse response) throws ServletException, IOException {
			this.delegate.forward(request, response);
		}

		@Override
		public void include(ServletRequest request, ServletResponse response) throws ServletException, IOException {
			this.response.onResponseCommitted();
			this.delegate.include(request, response);
		}

	}

}
